Win32/Patched.CH Removal Advice please?


This topic is locked
2 replies to this topic

#1 conwaymark5

  • Members
  • 1 posts

Posted 13 April 2011 - 03:06 PM

Hi, AVG has identified a Win32/Patched.CH virus and despite trying to remove it, it keeps popping back. The infected root/file is C:\Windows\System32\Drivers\atapi.sys

I have run the logs and the DDS report is below and I have attached the 'attach file'. Any help appreciated.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MarkDownstairs at 20:57:02.85 on 13/04/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2048.956 [GMT 1:00]
.
AV: AVG Internet Security *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Internet Security *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {34A811A1-D438-CA83-C13E-A23981B1E8F9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\LFOGRPOW.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\MarkDownstairs\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MFFirmwareUpdate] "c:\program files\companion suite pro ll2\firmwaredevice.exe" -v -o "e:\companion\..\firmware\\"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\markdo~1\appdata\roaming\mozilla\firefox\profiles\kuaim9kq.default\
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-4-2 12552]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2011-4-2 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-4-2 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-4-2 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-4-2 108552]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\25973\RapportCerberus_25973.sys [2011-4-13 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-3-28 66360]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2011-4-2 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-4-2 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2011-4-2 1370488]
R2 FUSServices;Session Launcher Service;c:\windows\system32\FUSServices.exe [2008-9-3 10752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-3-28 870200]
R3 XMLDIUSB;XML USB Device Interface;c:\windows\system32\drivers\XMLDIUSB.sys [2008-1-16 33152]
R4 RapportCerberus_25641;RapportCerberus_25641;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\25641\RapportCerberus_25641.sys [2011-4-6 56888]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-3-28 53816]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-3-28 158904]
.
=============== Created Last 30 ================
.
2011-04-13 13:28:20 -------- d-----w- c:\program files\eBay
2011-04-07 18:42:20 -------- d-----w- c:\users\markdo~1\appdata\local\Scansoft
2011-04-07 17:36:57 -------- d-----w- c:\users\markdo~1\appdata\roaming\AVS4YOU
2011-04-07 17:36:56 -------- d-----w- c:\progra~2\AVS4YOU
2011-04-07 17:35:40 -------- d-----w- c:\program files\common files\AVSMedia
2011-04-07 17:35:35 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-04-07 17:35:35 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-04-07 17:35:35 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-04-07 17:35:35 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2011-04-07 17:35:34 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-07 17:35:34 -------- d-----w- c:\program files\AVS4YOU
2011-04-07 17:18:54 -------- d-----w- c:\users\markdo~1\appdata\roaming\GetRightToGo
2011-04-07 17:18:07 158208 ----a-w- c:\windows\system32\AI_VideoConverterContextMenu.dll
2011-04-07 17:18:03 892928 ----a-w- c:\windows\system32\iconv.dll
2011-04-07 17:18:03 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-04-07 17:18:03 496640 ----a-w- c:\windows\system32\xvid.ax
2011-04-07 17:18:02 -------- d-----w- c:\program files\Aimersoft
2011-04-07 13:26:58 -------- d-----w- c:\windows\system32\appmgmt
2011-04-07 12:58:31 -------- d-----w- c:\progra~2\eBay
2011-04-07 11:05:56 -------- d-----w- c:\users\markdo~1\appdata\local\QuickPar
2011-04-07 11:05:19 -------- d-----w- c:\program files\QuickPar
2011-04-07 08:27:24 -------- d-----w- c:\users\markdo~1\appdata\local\Monotype Imaging Inc
2011-04-07 07:56:58 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-04-07 07:56:41 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-07 07:45:53 -------- d-----w- c:\program files\common files\ScanSoft Shared
2011-04-07 07:45:49 -------- d-----w- c:\program files\ScanSoft
2011-04-07 07:44:20 86016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\GSIMPPR.DLL
2011-04-07 07:44:07 -------- d-----w- c:\progra~2\Companion Suite Pro LL2
2011-04-07 07:43:49 16896 ----a-w- c:\windows\system32\LFOGRPOW.EXE
2011-04-07 07:43:48 55296 ----a-w- c:\windows\system32\LFOGRPJL.DLL
2011-04-07 07:43:48 13312 ----a-w- c:\windows\system32\LFOGRCOI.DLL
2011-04-07 07:43:31 283136 ----a-w- c:\windows\system32\LF2OEWIA.dll
2011-04-07 07:42:22 22528 ------r- c:\windows\system32\CSPLL2P.dll
2011-04-07 07:42:21 -------- d-----w- c:\program files\Companion Suite Pro LL2
2011-04-06 15:19:27 -------- d-----w- c:\program files\TVersity Codec Pack
2011-04-06 14:32:29 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2011-04-06 14:32:29 50688 ----a-w- c:\windows\system32\ff_acm.acm
2011-04-06 14:32:28 -------- d-----w- c:\program files\ffdshow
2011-04-06 14:30:34 -------- d-----w- c:\progra~2\TVersity
2011-04-06 07:43:39 -------- d-----w- c:\users\markdo~1\appdata\roaming\Trusteer
2011-04-06 07:43:37 -------- d-----w- c:\program files\Trusteer
2011-04-06 07:42:37 -------- d-----w- c:\progra~2\Trusteer
2011-04-06 07:35:57 -------- d-----w- c:\program files\Microsoft Money Plus
2011-04-06 07:33:17 3126 ----a-r- c:\progra~2\microsoft\money\16.0\invoice\stmscrpt.vbs
2011-04-06 07:33:17 3036 ----a-r- c:\progra~2\microsoft\money\16.0\invoice\nvcscrpt.vbs
2011-04-06 07:33:10 -------- d-----w- c:\program files\Microsoft Money 2007
2011-04-04 11:10:30 -------- d--h--w- C:\$AVG8.VAULT$
2011-04-02 22:37:15 -------- d-----w- c:\windows\Panther
2011-04-02 18:55:29 -------- d-----w- c:\users\markdo~1\appdata\local\Adobe
2011-04-02 15:53:26 -------- d-----w- c:\program files\Unzbin
2011-04-02 15:53:02 -------- d-----w- c:\users\markdo~1\appdata\roaming\Unzbin
2011-04-02 15:52:57 -------- d-----w- c:\users\markdo~1\appdata\local\Unzbin.com
2011-04-02 15:36:59 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{750933a2-8c7a-42a2-8cb4-67db78f3e671}\mpengine.dll
2011-04-02 15:36:59 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-02 14:07:23 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-04-02 14:07:23 32656 ----a-w- c:\windows\system32\msonpmon.dll
2011-04-02 14:06:06 -------- d-----w- c:\windows\PCHEALTH
2011-04-02 14:04:54 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-02 14:03:47 -------- d-----w- c:\users\markdo~1\appdata\local\Microsoft Help
2011-04-02 14:01:44 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-04-02 14:01:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-04-02 14:01:44 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-04-02 14:01:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-04-02 14:01:40 -------- d-----w- c:\windows\system32\drivers\Avg
2011-04-02 14:01:31 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2011-04-02 14:01:31 -------- d-----w- c:\program files\AVG
2011-04-02 14:01:30 -------- d-----w- c:\progra~2\avg8
2011-04-02 14:01:08 -------- d-sh--w- c:\windows\Installer
2011-04-02 13:59:03 -------- d-----w- c:\program files\MagicISO
2011-04-02 13:57:45 -------- d-----w- c:\program files\PowerISO
2011-04-02 13:50:36 -------- d-----w- c:\windows\system32\wbem\Performance
2011-04-02 13:44:23 -------- d-sh--w- C:\Recovery
2011-03-30 11:47:48 49152 ----a-r- c:\windows\system32\inetwh32.dll
2011-03-30 11:47:48 1044480 ----a-r- c:\windows\system32\roboex32.dll
2011-03-28 19:32:40 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST3360320AS rev.3.AAM -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85954A9A]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; PUSH EDI; MOV EDI, [EBP+0xc]; MOV ESI, [EDI+0x60]; MOV [EBP-0x1c], ESI; CALL 0xffffffffffffe131; }
1 ntkrnlpa!IofCallDriver[0x82889458] -> \Device\Harddisk0\DR0[0x85A8E030]
3 CLASSPNP[0x88BA459E] -> ntkrnlpa!IofCallDriver[0x82889458] -> [0x859CA918]
5 ACPI[0x834523B2] -> ntkrnlpa!IofCallDriver[0x82889458] -> \IdeDeviceP1T0L0-1[0x859BA908]
[0x85D5CF38] -> IRP_MJ_CREATE -> 0x85954A9A
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskST3360320AS_____________________________3.AAM___#5&147e50a1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 703282606 (+125): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:57:59.73 ===============
Attached File: Attach.txt (5.91KB)
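As an added example (not part of the original post, and not code from DDS or GMER), here is a small Python triage script that reads the GMER ROOTKIT section of a DDS log like the one above and flags the three indicators a responder would look for in it: an UNKNOWN module in the disk call trace, a sector range that reads differently from user mode and kernel mode, and the detector's own warning line. The sample log text is constructed to mirror those lines; the regular expressions are written against that format and are an assumption about other GMER versions.

```python
import re

# Constructed excerpt modelled on the GMER "ROOTKIT" section of a DDS log;
# the sample lines are assembled here for the example, not a live capture.
SAMPLE_LOG = """\
=================== ROOTKIT ====================
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85954A9A]<<
kernel: MBR read successfully
detected hooks:
user & kernel MBR OK
sectors 703282606 (+125): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 20:57:59.73 ===============
"""

# Patterns for the three indicators visible in the thread's log (assumed format).
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_MISMATCH = re.compile(r"^sectors (\d+) \(\+(\d+)\): user != kernel")
WARNING = re.compile(r"^Warning: (.+)$")


def triage_rootkit_section(text):
    """Collect rootkit indicators from the ROOTKIT ... FINISH section of a DDS log.

    Returns unknown module addresses (lower-cased), the mismatching sector
    range as (start, count) or None, and the detector's warning texts.
    """
    findings = {"unknown_modules": [], "sector_mismatch": None, "warnings": []}
    in_section = False
    for line in text.splitlines():
        if line.startswith("=") and "ROOTKIT" in line:
            in_section = True
            continue
        if line.startswith("=") and "FINISH" in line:
            break
        if not in_section:
            continue
        m = UNKNOWN_MODULE.search(line)
        if m:  # disk I/O routed through code that no loaded driver accounts for
            findings["unknown_modules"].append(m.group(1).lower())
        m = SECTOR_MISMATCH.match(line)
        if m:  # sectors that read differently from user mode and kernel mode
            findings["sector_mismatch"] = (int(m.group(1)), int(m.group(2)))
        m = WARNING.match(line)
        if m:
            findings["warnings"].append(m.group(1).strip())
    return findings


def is_suspicious(findings):
    """True when any indicator is present; such a log needs a specialist's review."""
    return bool(findings["unknown_modules"] or findings["sector_mismatch"] or findings["warnings"])
```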

#2 heir

  • Malware Response Team
  • 763 posts

Posted 16 April 2011 - 02:22 PM

Welcome to BC.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators


#3 heir

  • Malware Response Team
  • 763 posts

Posted 23 April 2011 - 02:02 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
